6.
An unbelievable story…
There is no formal definition of an injection triggered by query string delimiters
As far as we know, no one has ever formalized an injection-based attack against the delimiters of the most used protocol on the web: HTTP
HPP has surely been around for many years, however it is definitely underestimated
As a result, several vulnerabilities have been discovered in real-world applications
OWASP AppSecEU09 Poland

7.
Introduction 1/2
The term Query String is commonly used to refer to the part between the “?” and the end of the URI
As defined in RFC 3986, it is a series of field-value pairs
Pairs are separated by “&” or “;”
The usage of the semicolon is a W3C recommendation in order to avoid escaping
RFC 2396 defines two classes of characters:
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ ,

12.
Additional considerations 2/2
Unfortunately, application behaviors in case of multiple occurrences may differ as well
This is strongly connected with the specific API used by our code
In Java, for example:
javax.servlet.ServletRequest interface (Query String direct parsing)
java.lang.String getParameter(java.lang.String name)
Returns the value of a request parameter as a String (for a multivalued parameter, the first value), or null if the parameter does not exist
java.lang.String[] getParameterValues(java.lang.String name)
Returns an array of String objects containing all of the values the given request parameter has, or null if the parameter does not exist
As a result, the applications may react in unexpected ways… as you will see!
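As an added example (not code from the original slides), the following Python models the four ways of resolving a duplicated parameter that appear in this deck: first occurrence (Servlet getParameter), all occurrences (getParameterValues), last occurrence (PHP) and comma-joined (ASP/ASP.NET). The policy names and the function names are assumptions made for the example.

```python
# Added example (not from the original slides). Models how the APIs named
# in this deck resolve a parameter that occurs more than once.
from __future__ import annotations
from urllib.parse import parse_qsl


def occurrences(query: str, name: str) -> list[str]:
    """All values of `name`, in order of appearance (getParameterValues-like)."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


def resolve(query: str, name: str, policy: str):
    """Return what an application would see for `name` under one policy.

    Policies modelled after the behaviours named on the slides:
      'first' - Java Servlet getParameter(): first occurrence
      'last'  - PHP $_GET: last occurrence wins
      'all'   - Java Servlet getParameterValues(): every occurrence
      'join'  - ASP/ASP.NET: occurrences concatenated with ','
    """
    vals = occurrences(query, name)
    if not vals:
        return None  # like getParameter() returning null
    if policy == "first":
        return vals[0]
    if policy == "last":
        return vals[-1]
    if policy == "all":
        return vals
    if policy == "join":
        return ",".join(vals)
    raise ValueError(f"unknown policy {policy!r}")


def duplicated_names(query: str) -> set[str]:
    """Names that occur more than once: the condition a defender should
    reject, or at least log, before any of the policies above is applied."""
    seen: set[str] = set()
    dups: set[str] = set()
    for k, _ in parse_qsl(query, keep_blank_values=True):
        (dups if k in seen else seen).add(k)
    return dups


if __name__ == "__main__":
    # Constructed query string with one duplicated name.
    q = "par1=val1&par1=val2&other=x"
    for p in ("first", "last", "all", "join"):
        print(f"{p:5}: {resolve(q, 'par1', p)!r}")
    print("duplicated:", duplicated_names(q))
```

Note that parse_qsl splits on "&" only; the ";" separator mentioned on slide 7 would need a custom split.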

18.
HPP Categories
We are not keen on inventing yet another buzzword.
However, the standard vulnerability nomenclature seems to be lacking this concept
Classification:
Client-side
1. First order HPP or Reflected HPP
2. Second order HPP or Stored HPP
3. Third order HPP or DOM Based HPP
Server-side
1. Standard HPP
2. Second order HPP
According to our classification, Flash Parameter Injection* may be considered a particular subcategory of the HPP client-side attack
* http://blog.watchfire.com/FPI.ppt

19.
Encoding & GET/POST/Cookie precedence
Several well-known encoding techniques may be used to inject malicious payloads
The precedence of GET/POST/Cookie may influence the application behaviors and it can also be used to override parameters
Apache Tomcat/6.0.18:
POST /foo?par1=val1&par1=val2 HTTP/1.1
Host: 127.0.0.1

par1=val3&par1=val4
FIRST occurrence, GET parameter first

21.
HPP Server Side Attacks 2/2
A malicious user may send a request like:
http://frontendHost.com/page?amount=1000&recipient=Mat%26action%3dwithdraw
Then, the frontend will build the following back-end request:
HttpRequest("http://backendServer.com/servlet/actions","POST",
"action=transfer&amount="+amount+"&recipient="+beneficiary);
action=transfer&amount=1000&recipient=Mat&action=withdraw
The outcome obviously depends on how the back-end application manages the multiple occurrence
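The front-end request construction above, rewritten in Python as an added example (not the slides' code): the vulnerable string concatenation beside a version that percent-encodes each value, with a small model of what a first- or last-occurrence back-end would see. The function names and the "last" default are assumptions.

```python
# Added example (not from the original slides): the front-end request
# construction from the slide, in its vulnerable form and with the value
# percent-encoded before concatenation.
from urllib.parse import parse_qs, urlencode, unquote


def build_body_vulnerable(amount: str, beneficiary: str) -> str:
    # String concatenation exactly as on the slide: nothing is encoded,
    # so a '&' or '=' inside a value becomes a query-string delimiter.
    return "action=transfer&amount=" + amount + "&recipient=" + beneficiary


def build_body_hardened(amount: str, beneficiary: str) -> str:
    # urlencode() percent-encodes '&' and '=' inside each value, so a
    # value can never introduce a new name/value pair.
    return urlencode({"action": "transfer", "amount": amount,
                      "recipient": beneficiary})


def backend_view(body: str, policy: str = "last") -> dict:
    """What the back-end sees under a first- or last-occurrence policy."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: (v[-1] if policy == "last" else v[0]) for k, v in parsed.items()}


if __name__ == "__main__":
    # Constructed front-end input: the 'recipient' value after the front-end
    # has URL-decoded the attacker's Mat%26action%3dwithdraw.
    recipient = unquote("Mat%26action%3dwithdraw")
    for build in (build_body_vulnerable, build_body_hardened):
        body = build("1000", recipient)
        print(body, "->", backend_view(body))
```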

22.
HPP Server Side - WebApp Firewalls
What would happen with WAFs that do Query String parsing before
applying filters?
HPP can be used even to bypass WAFs ☺
Some loose WAFs may analyze and validate a single occurrence of a parameter only (the first or the last one)
Whenever the development environment concatenates multiple occurrences (e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …), an attacker can split the malicious payload.
http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2>
par=<Payload_1>~~<Payload_2>
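As an added example (not from the original slides), the following Python contrasts a WAF that validates only the first occurrence with a check that validates every occurrence and the value the back-end would build by joining them; it uses the ModSecurity query shown later in this deck as input, with "," as the join separator. The SQL signature, the joiner default and the function names are assumptions.

```python
# Added example (not from the original slides). A WAF that validates only
# one occurrence of a parameter misses a payload split across occurrences
# when the back-end concatenates them (',' for ASP/ASP.NET).
import re
from urllib.parse import parse_qsl

# Constructed signature, just enough to match the slide's SQL payload.
SQLI_SIGNATURE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE | re.DOTALL)


def values_of(query: str, name: str) -> list:
    """Every value of `name` in order of appearance."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


def loose_waf_blocks(query: str, name: str) -> bool:
    """Loose WAF: inspects only the FIRST occurrence of the parameter."""
    vals = values_of(query, name)
    return bool(vals) and SQLI_SIGNATURE.search(vals[0]) is not None


def strict_waf_blocks(query: str, name: str, joiner: str = ",") -> bool:
    """Hardened check: inspect every occurrence and also the value the
    back-end would build by joining them with its known separator."""
    vals = values_of(query, name)
    if not vals:
        return False
    candidates = vals + [joiner.join(vals)]
    return any(SQLI_SIGNATURE.search(v) for v in candidates)


if __name__ == "__main__":
    # Constructed requests: the whole payload in one value, then split in two.
    whole = "page=select 1,2,3 from table where id=1"
    split = "page=select 1&page=2,3 from table where id=1"
    for q in (whole, split):
        print(f"{q!r}: loose={loose_waf_blocks(q, 'page')} "
              f"strict={strict_waf_blocks(q, 'page')}")
```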

26.
Google Search Appliance - HPPed !
Once upon a time, during an assessment for XXX…
GSA was the LAN search engine, exposed for public search as well, with only three controllable values
The parameter named “afilter” is used unencoded
By polluting GSA parameters, appending %23 (“#”), we got full access to internal results

27.
ModSecurity - HPPed !
ModSecurity SQL Injection filter bypass
While the following query is properly detected:
/index.aspx?page=select 1,2,3 from table where id=1
using HPP it is possible to bypass the filter:
/index.aspx?page=select 1&page=2,3 from table where id=1
Other vendors may be affected as well
This technique could potentially be extended to obfuscate attack payloads
Lavakumar Kuppan is credited for this finding

28.
HPP Client Side attacks 1/2
HPP Client Side is about injecting additional parameters into links and other src attributes
Suppose the following code:
<? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?>
<a href="/page.php?action=view&par=<?=$val?>">View Me!</a>
There's no XSS, but what about HPP?
It's just necessary to send a request like
http://host/page.php?par=123%26action=edit
to obtain
<a href="/page.php?action=view&par=123&amp;action=edit">View Me!</a>
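As an added example (not the slides' PHP), the following Python shows why HTML-escaping the value does not stop client-side HPP: the browser decodes &amp; back to & before resolving the href, so the link carries a second action parameter, while percent-encoding for the URL context keeps the value a single parameter. The helper names and the minimal href extraction are assumptions.

```python
# Added example (not from the original slides): HTML-escaping versus
# percent-encoding a value placed into a link's query string.
import html
from urllib.parse import parse_qs, quote, urlsplit


def link_html_escaped(par: str) -> str:
    # Mirrors the slide's PHP: htmlspecialchars(..., ENT_QUOTES) on the value.
    return ('<a href="/page.php?action=view&par='
            + html.escape(par, quote=True) + '">View Me!</a>')


def link_url_encoded(par: str) -> str:
    # Hardened: percent-encode for the URL context first, so '&' and '='
    # can no longer act as query-string delimiters once the browser follows
    # the link.
    return ('<a href="/page.php?action=view&par='
            + quote(par, safe="") + '">View Me!</a>')


def href_as_browser_sees_it(anchor: str) -> str:
    """Extract the href attribute and undo HTML entity encoding, as a
    browser does before resolving the URL (minimal, for this example)."""
    start = anchor.index('href="') + len('href="')
    end = anchor.index('"', start)
    return html.unescape(anchor[start:end])


def action_values(anchor: str) -> list:
    """All 'action' values the browser would send when the link is clicked."""
    query = urlsplit(href_as_browser_sees_it(anchor)).query
    return parse_qs(query).get("action", [])


if __name__ == "__main__":
    # Constructed input: $_GET['par'] after PHP decodes 123%26action=edit.
    par = "123&action=edit"
    for build in (link_html_escaped, link_url_encoded):
        anchor = build(par)
        print(anchor, "->", action_values(anchor))
```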

29.
HPP Client Side attacks 2/2
Once again, it strongly depends on the functionality of the link
It's more about:
Anti-CSRF
Functional UI Redressing
It can be applied to every tag with:
data, src, href attributes
Action forms with POST method

31.
HPP Client Side - FPI, the HPP way
As mentioned, an interesting case of HPP is the Flash Parameter Injection by Ayal Yogev and Adi Sharabani @ Watchfire
FPI is about including FlashVars in the HTML itself when the vulnerable Flash object is directly dependent on the page itself
An FPI will result in the injection of additional parameters in the param tag
E.g. piggybacking FlashVars:
http://myFlashApp/index.cgi?language=ENG%26globalVar=<HPP>

35.
Excite - HPPed !
Sweet dogs? Click anywhere on an image...
This is a kind of content pollution
Even if the example seems harmless, it may help to successfully conduct social engineering attacks

36.
MS IE8 XSS Filter Bypass - HPPed !
IE8 checks the query string parameters against XSS regexps, and also searches for the matched payload in the output
In a .NET application, multiple occurrences of a parameter are joined using “,”
So param=<script&param=src="...."> becomes <script,src="..."> in the HTML
As you can imagine, it bypasses the IE8 XSS filter
Alex Kuza is credited for this finding

39.
PTK Forensic - HPPed !
PTK, an alternative Sleuthkit Interface
PTK is a forensic tool with a web-based frontend written in PHP, included in the SANS SIFT
The investigator can mount a DD image and then inspect files, using the Web 2.0 UI
Here, HPP is the key to exploiting a critical vulnerability*
“...Once the investigator selects a specific file from the image filesystem, PTK invokes the following script:
/ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1
...”
* http://www.ikkisoft.com/stuff/LC-2008-07.txt

41.
PTK Forensic - HPPed !
Crafting a filename such as
Confidential.doc&arg1=;EvilShell;...
it is actually possible to tamper with the link, leading to code execution since PHP considers the last occurrence
.../file_content.php?arg1=null&arg2=107533&arg3=Confidential.doc&arg1=;EvilShell;...&arg4=1
Demonstration video of the attack: http://www.vimeo.com/2161045
As a result… Stored HPP!

42.
PHPIDS - HPPed !
PHPIDS is a state-of-the-art security layer for PHP web applications
When dealing with DOM based HPP, PHPIDS can be fooled
If the DOM based location parsing takes the first occurrence, PHPIDS will only consider the PHP behavior, i.e. the last occurrence: no alert is raised and XSS attacks are still possible!

44.
Conclusion
HPP is a quite simple but effective hacking technique
HPP affects server-side as well as client-side components
The impact may vary depending on the affected functionality
We are going to release a whitepaper about these and other issues, including all technical details. Stay tuned!
HPP requires further research in order to deeply understand threats and risks. Several applications are likely vulnerable to HPP
Standards and guidelines on multiple occurrences of a parameter in the Query String should be defined
Awareness among application developers is crucial

45.
Q&A
Time is over! Thanks!
If you have further inquiries, please contact us:
luca.carettoni@ikkisoft.com
stefano.dipaola@mindedsecurity.com